Code Scan Inventory

Prerequisite: Verify that your user role has the required ACF permission to view the code scan inventory. To enable the ACF permission, click here.

Viewing the Code Scan Inventory

To view the code scan inventory, go to Menu > Quantum Trust Hub > Inventory > Code.
You are redirected to the Code Scan Inventory page.

The code scan inventory is divided into three tabs:

  • Direct Cryptographic Usage

    This tab displays the scan results for cryptographic functions that are called directly from your application's first-party code. For details, see Direct Cryptographic Usage.

  • Cryptographic Dependencies

    This tab displays the scan results for the external libraries, modules, or packages that the source code relies on for performing cryptographic operations. For details, see Cryptographic Dependencies.

  • Upload Custom Library

    This tab lets you upload a custom-defined class or method, which is not a direct call of the supported libraries, for PQC assessment scanning. For details, see Uploading Custom Libraries for Code Scanning.

Common Inventory Functions

The table below explains the inventory functions that are common to both the Direct Cryptographic Usage and the Cryptographic Dependencies tabs.
Feature | Description
Filters | To filter the inventory for viewing specific data:
  1. From one or more of the following dropdown lists, select the required filtering criteria:
    • Quantum Readiness
    • Severity
    • Repository
  2. Click Apply.
Search | Enter free text or keywords to search for specific entries in the inventory.
Export | To export the inventory data:
  1. Select at least one record from the inventory to export the corresponding data.
  2. From the menu bar, click Export.
  3. In the "How would you like to download the data?" dialog box, select your preferred export file format (CSV or XLS).
  4. Click Submit.

    The inventory data is downloaded to your local system as a zipped file.

Pagination | Use the pagination control dropdown to select the number of records displayed per page of the inventory. You can select 25, 50, 75, or 100 records per page.
Pagination Navigation | Use the pagination navigation buttons to move between the pages of the inventory.
Refresh | Use the Refresh button to reload the inventory and display the up-to-date records.

Direct Cryptographic Usage

Direct cryptographic usage refers to the cryptographic algorithms, class names, and methods that are called directly in the source code.
The Direct Cryptographic Usage tab in the code scan inventory displays the following details for all code scanned across repositories:
Table 1. Column descriptions for the Direct Cryptographic Usage inventory
Column | Description
Repo Name | Name of the repository where the scanned code is located.
File path | Location of the code file within the repository.
Class name | Class within the file where the cryptographic operation is implemented.
Method name | Method that invokes the cryptographic operation.
Language | Programming language used to write the code.
Line number | Line number in the code where the cryptographic call is written.
Crypto Category | Type of cryptographic item detected in the code.
Algorithm Name | [For Crypto Category = Algorithm] Algorithm invoked via the code.
Algorithm Type | [For Crypto Category = Algorithm] Algorithm type (Asymmetric, Symmetric, Message Authentication Code, and so on) invoked via the code.
Severity | Level of risk posed by the scanned cryptographic operation.
Quantum Readiness | Quantum readiness status of the crypto category detected.
Recommendation Action | Suggested next steps, according to the severity and the quantum readiness status.

Cryptographic Dependencies

The cryptographic dependencies scan assesses the external libraries, packages, and frameworks that your code depends on. Your code does not call the crypto functions directly; it inherits the cryptography from these external dependencies.

The Cryptographic Dependencies tab in the code scan inventory displays the following details for all code scanned across repositories:

Table 2. Column descriptions for the Cryptographic Dependencies inventory
Column | Description
Repo Name | Name of the repository where the scanned code is located.
File path | Location of the code file within the repository.
Library name | External cryptographic library used.
Version | Version number of the cryptographic library detected (required to assess the quantum safety of the library).
Crypto Category | Type of cryptographic item detected in the code.
Cryptographic Library Source | Source of the cryptographic library.
Quantum Readiness | Quantum readiness status of the cryptographic category and library detected.
Recommendation Action | Suggested next steps, according to the severity and the quantum readiness status.

Uploading Custom Libraries for Code Scanning

In addition to scanning built-in as well as external cryptographic libraries, AppViewX lets you upload a custom-defined class or method that is not a direct method call of the supported libraries, so that its crypto compliance can be assessed. For example, a wrapper class built on top of Bouncy Castle, or a new library defined by a user that AppViewX does not currently support.

To do this:

  1. Go to Menu > Quantum Trust Hub > Inventory > Code.
    The Code Scan Inventory page is displayed.
  2. From the menu bar, go to the Upload Custom Library tab.
    The Get Started with Custom Library Upload page is displayed.
  3. Click Download Sample Template and save the CSV template file on your local machine.
  4. In the CSV template file, enter the following details as relevant to your custom library:
    • Class name
    • Method name
    • Language
    • Library name
    • Algorithm used
    Note: Class name and Method name are mandatory inputs for the Java and Python languages. For Python, the class name is expected to be the fully qualified name from the package, for example crypto.example.aes. Class name can be skipped for C and CPP.
  5. On the Get Started with Custom Library Upload page, to upload the filled template file from your local machine:
    • Drag & Drop the template file from your local machine.

      OR

    • Click to upload the file from your local machine.
  6. Test
    The Custom Library Preview is updated automatically based on the library details you uploaded.
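As an added example (not AppViewX code and not the downloadable template itself), a small Python check that applies the rules from step 4 to a filled template before you upload it. The header names, and the assumption that Method name is required for every language, are mine.

```python
import csv
import io

# Assumed header names: they mirror the field list in step 4, but the real
# downloadable template may differ, so adjust HEADERS to match it.
HEADERS = ["Class name", "Method name", "Language", "Library name", "Algorithm used"]
CLASS_REQUIRED = {"java", "python"}  # page: Class name is mandatory for Java and Python;
                                     # it can be skipped for C and CPP

def validate_row(row, lineno):
    """Return a list of problems for one template row (empty list means OK)."""
    problems = []
    lang = row.get("Language", "").strip().lower()
    cls = row.get("Class name", "").strip()
    method = row.get("Method name", "").strip()
    if not lang:
        problems.append(f"line {lineno}: Language is empty")
    # Assumption: Method name is needed for every language (the page only
    # says Class name may be skipped for C and CPP).
    if not method:
        problems.append(f"line {lineno}: Method name is empty")
    if lang in CLASS_REQUIRED and not cls:
        problems.append(f"line {lineno}: Class name is mandatory for {lang}")
    # Python class names must be fully qualified from the package, e.g. crypto.example.aes
    if lang == "python" and cls and "." not in cls:
        problems.append(f"line {lineno}: Python Class name must be fully qualified: {cls!r}")
    if not row.get("Library name", "").strip():
        problems.append(f"line {lineno}: Library name is empty")
    return problems

def validate_template(text):
    """Validate a whole CSV template; the header row must carry every expected column."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [h for h in HEADERS if h not in (reader.fieldnames or [])]
    if missing:
        return [f"header: missing column(s) {missing}"]
    problems = []
    for lineno, row in enumerate(reader, start=2):  # line 1 is the header row
        problems.extend(validate_row(row, lineno))
    return problems

# Constructed sample rows: a Java wrapper over Bouncy Castle (valid), a Python
# row whose class name is not fully qualified (rejected), a C row with no class (valid).
SAMPLE = """Class name,Method name,Language,Library name,Algorithm used
com.example.crypto.BcWrapper,encrypt,Java,bc-wrapper,AES
aes,encrypt,Python,pycrypto-wrapper,AES
,hash_block,C,libhash,SHA-256
"""
```

Running validate_template(SAMPLE) reports only the Python row, because the Java and C rows satisfy every rule the page states.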

Viewing the Custom Library Scan Results

The table below explains the inventory functions in the Custom Library Preview.
Feature | Description
Search custom library data | Enter free text or keywords to search for specific entries in the inventory.
Pagination | Use the pagination control dropdown to select the number of records displayed per page of the inventory. You can select 25, 50, 75, or 100 records per page.
Pagination Navigation | Use the pagination navigation buttons to move between the pages of the inventory.
Refresh | Use the Refresh button to reload the inventory and display the up-to-date records.
For the custom library scanned, the Custom Library Preview displays the following details:
Table 3. Column descriptions for the custom libraries
Column | Description
Class Name | Class in the custom library that contains the cryptographic logic.
Method Name | Method in which the cryptographic logic is used.
Language | Programming language in which the custom library is written.
Library Name | Name of the custom library.
Algorithm | Cryptographic algorithm used for the operation.
Quantum Readiness | Quantum safety status of the custom library.
Recommendations | Suggested next steps, according to the quantum readiness status.